Shulou(Shulou.com)06/01 Report--

This article is about how to use GPG encryption to make your information safe and secure. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

GPG has been an open source and free encryption and digital signature software for many years. It can not only provide encryption protection for important information between enterprises and individuals, but also carry out digital signatures for published software, kernel and other electronic products to prevent products from being tampered with and ensure information security to the maximum extent.

As an important means to protect information confidentiality, integrity and non-repudiation, encryption and digital signature have been widely used in a variety of information communication situations. At present, there are many commercial encryption and digital signature products, such as commercial software PGP (Pretty Good Privacy).

In addition, there are some free encryption and digital signature software in the open source code base, of which the most recognized is GPG (GNU Privacy Guard). GPG is a completely free, open source code, and fully compatible with PGP software product. Today, GPG already has a large number of corporate and individual users.

In China, because the awareness of information security and privacy protection is still relatively weak, the use of PGP or GPG in business and individual users is not common. With the increase of problems and even litigation caused by information security and privacy, more and more enterprises and individuals begin to pay attention to the solution of security problems.

However, due to non-professional users' fear of concepts such as signature and encryption, the application of GPG is still limited to IT technicians. This article will explain how to apply GPG in Linux environment, and provide help for enterprises and individual users to apply GPG.

Establish a GPG environment

As an open source tool for encryption and digital signature, GPG software comes with many Linux distributions. In the case of default installation, gpg is pre-installed as a basic command.

If the Linux distribution you choose does not have GPG installed by default, you can install it through the tar package or the RPM package, which can be downloaded from http://www.gnupg.org/download/. The installation process is relatively simple, which is omitted here.

It is also easy to determine whether GPG is installed or not. Enter the "gpg-h" command directly from the command line, and if the system already has GPG installed, it will display information about the use of GPG.

Once you have confirmed that GPG is installed on the Linux system, you can begin the following encryption and signing work.

Generate key

When users apply GPG, they must first have a pair of their own keys. So, the first step is to generate a pair of keys. The gpg command provides almost all the operations you need with a large number of arguments. The parameter "- gen-key" is used to generate a pair of keys. You can run the following command on a Linux system with GPG installed:

# gpg-gen-key

If you want to personalize the operation that generates the key, you can add other parameters. For example, to specify the location where the generated key is stored, run the following command:

# gpg-gen-key-homedir / mygnupg

After the command starts running, first, you will see the version and path information as follows:

Gpg (GnuPG) 1.2.1; Copyright (C) 2002 Free Software Foundation, Inc.

This program comes with ABSOLUTELY NO WARRANTY.

This is free software, and you are welcome to redistribute it

Under certain conditions. See the file COPYING for details.

Gpg: / home/terry/.gnupg: directory created

Gpg: new configuration file `/ home/terry/.gnupg/gpg.conf' created

Gpg: keyblock resource `/ home/terry/.gnupg/secring.gpg': file open error

Gpg: keyring `/ home/terry/.gnupg/pubring.gpg' created

You then need to answer a series of questions to help generate a pair of keys. The first problem encountered is that you are required to choose an algorithm to use the key:

Please select what kind of key you want:

(1) DSA and ElGamal (default)

(2) DSA (sign only)

(5) RSA (sign only)

Your selection? 1

Among them, DSA is a digital signature algorithm, RSA and ElGamal are two asymmetric key algorithms with different principles. You can usually select "1" so that the generated key can be used for both signing and encryption purposes.

Next, you will be asked to select the length of the key:

DSA keypair will have 1024 bits.

About to generate a new ELG-E keypair.

Minimum keysize is 768 bits

Default keysize is 1024 bits

Highest suggested keysize is 2048 bits

What keysize do you want? (1024) 2048

Requested keysize is 2048 bits

The key lengths here are 768, 1024 and 2048 bits. Obviously, the longer the key, the more secure it is, but too long will affect the speed of use. Therefore, you can choose the appropriate length according to different needs. The author pays more attention to security in the application, so I choose the longest 2048-bit key.

In addition, you need to set the time when the key expires:

Please specify how long the key should be valid.

0 = key does not expire

= key expires in n days

W = key expires in n weeks

M = key expires in n months

Y = key expires in n years

Key is valid for? (0) 1y

Key expires at Sat 10 Sep 2005 01:48:07 PM CST

Is this correct (YBO)? Y

In principle, the more frequently the key is used, the longer the key is valid, and the more likely it is to be used. Therefore, an appropriate length of time should be determined according to the actual situation of the application. It is important to note that keys should be changed regularly, and it is recommended that you never use the same pair of keys forever.

Finally, you need to enter some personal information, including your real name, e-mail address, etc., to identify the key, preferably truthfully. For example:

Real name: Terry Yu

Email address: terry@mykms.org

Comment: for test

You selected this USER-ID:

"Terry Yu (for test)"

Change (N) ame, (C) omment, (E) mail or (O) kay/ (Q) uit? O

Then, you must enter a password. The password is used to protect the key, without which no one can see the contents of the key itself. The password is the only security measure after the key file is leaked, and its greatest enemies are brute force cracking and dictionaries. Therefore, be sure to choose a strong password to effectively combat these *.

After the password is determined, the system begins to operate:

We need to generate a lot of random bytes.

It is a good idea to perform some other action

(type on the keyboard, move the mouse, utilize the disks)

During the prime generation

This gives the random number generator a better

Chance to gain enough entropy.

.. +.. +. +

At this time, you need to casually tap the keyboard or move the mouse to generate some random numbers to assist in the smooth generation of the key. Note that without the above actions, it is likely that the key will not be generated in the end.

After the system operation is complete, a message similar to the following appears:

Gpg: / home/terry/.gnupg/trustdb.gpg: trustdb created

Public and secret key created and signed.

Key marked as ultimately trusted.

Pub 1024D/6AE573B5 2004-09-29 Terry Yu (for test)

Key fingerprint = 0D58 408E 344F BB7B AB95 D000 82B7 8324 6AE5 73B5

Sub 2048g/94BF182C 2004-09-29 [expires: 2005-09-29]

Pub 1024D/7234E374 2004-09-10 Terry Yu (for test)

Key fingerprint = A58F D71A 28BA 499D 805B 588E 82FB CD0F 7234 E374

Sub 2048g/4907EA0A 2004-09-10 [expires: 2005-09-10]

The above information indicates that it has been successfully called "Terry"

Yu "generates and signs a pair of keys with an expiration time of" 2005-09-10 ". When the key is generated, the. Gnupg directory of the default user directory also stores the

GPG configuration and key storage file. These files control the user's GPG environment, and users cannot modify these files directly. All changes will be made through the "gpg" command.

View key

After the key is generated, you can check it at any time with the following command.

View all keys:

# gpg-list-key

View all public keys:

Gpg-list-public-key

View all private keys:

Gpg-list-secret-key

List all signatures:

Gpg-list-sig

Export public key

In the asymmetric encryption system, the private key is kept by the user, while the public key is public. After generating the key pair, the user needs to export the public key to a file and distribute it to other users.

The method of exporting the public key is simple and can be done through the "- export" argument of the gpg command. In order to make the exported file ASC Ⅱ encoded, you also need to add the parameter "- a". For example, to export a Terry Yu ASC Ⅱ-encoded public key file, you can use the following command:

# gpg-- export-a terry@mykms.org > terry.asc

This command finally generates the ASC Ⅱ-encoded public key file terry.asc as shown in figure 1.

Figure 1 Public key file terry.asc

Distribute the public key

This file containing public key information needs to be distributed, and the terry.acs file can be distributed to all people who have information communication needs with the user in various ways.

The easiest way to distribute is to make the file available for download on the Internet. The problem with this approach is that the site where the public key file is published must be a reliable site. In practical application, similar practices are very common.

For example, the public key of Red Hat is published on its official website, which can be downloaded by anyone and used to verify the signature of the software released by Red Hat.

Import public key

As a user, you will also receive other people's GPG public keys, which may come from websites, e-mails, FTP, directory services, etc., as long as you trust their sources, you can import them into your own GPG environment, and then you can carry out various GPG-based applications with the appropriate people. The process of importing a public key can be divided into the following three steps:

1. Import

For example, if Terry receives the public key file brian.gpg of a friend Brian, you can import the file using the following command:

# gpg-import terry.gpg

2. Check "fingerprint"

The public key can be forged. James can forge a public key of Brian, and then find a way to make

Terry gets. If Terry does not authenticate the received public key, the encrypted message he sends to Brian may be decrypted by James. There is no such certificate as PKI in the architecture of GPG.

In the book management system, the public key trust of GPG is realized through "Truth Web".

Generate the "fingerprint" of the Terry public key:

# gpg-fingerprint terry@mykms.org

Pub 1024D/7234E374 2004-09-10 Terry

Yu (for test)

Key fingerprint = A58F D71A 28BA

499D 805B 588E 82FB CD0F 7234 E374

Sub 2048g/4907EA0A 2004-09-10 [expires: 2005-09-10]

This fingerprint is the only one. You can determine whether the public key is credible and legal by checking with the other party whether the "fingerprint" is consistent.

3. Signature

Sign the public key immediately after it is successfully imported and it is determined that the public key is transferable. In this way, you can verify the authenticity of the email from the other party.

You can use the following command to sign the public key:

# gpg-sing-key brian@mykms.org

Or

# gpg-edit-key name

# command > sign

Check the other party's email, such as the signature of Brian:

# gpg-check-sigs brian@mykms.org

Now that you have the Brian-signed public key, you can communicate with Brain with asymmetric encryption through this public key.

Apply GPG

GPG uses an asymmetric key system in which the user has a pair of keys, including a public key and a private key. The public key is made public, while the private key is kept by itself. Data encrypted with a public key can be decrypted with a private key, just as data encrypted with a private key can be decrypted with a public key.

Asymmetric keys can be used for encryption and digital signature. When the user is concerned about the confidentiality of the information, the encryption function is used; when the user is concerned about the integrity and non-repudiation of the information, the digital signature function is used; when the user needs to pay attention to the confidentiality, integrity and non-repudiation of the information at the same time, encryption and mathematical signature can be mixed.

After a brief understanding of these cryptographic concepts, you can begin real application practice.

Encrypt and digitally sign files

Graphical encryption operations are provided in KDE. For example, to encrypt a file in KDE, simply select the file in the KDE file manager Konqueror, right-click and select "Encrypt File" in "Actions" to encrypt the file. The encrypted file ends with .asc.

Without much introduction to the graphic encryption operation, we will focus on the command line operation mode, and introduce the operation methods of various file encryption and signature under the command line.

1. Digitally sign the file

# gpg-clearsign policy.txt

You need a passphrase to unlock the secret key for

User: "test (test)"

1024-bit DSA key, ID ADD93830, created 2004-07-01

Run the above command to generate a file called report.txt.asc, which contains digital signature information in addition to the original file information.

2. Verify the digital signature of the file

# gpg-verify policy.txt.asc

Gpg: Signature made Thursday 04 November 2004 15:58:07 UTC using DSA key ID ADD93830

Gpg: Good signature from "test (test)"

The result of running the above command shows that the signature is correct.

3. Encrypt the file with the specified public key

# gpg-- encrypt-r terry@mykms.org report.txt

Gpg: checking the trustdb

Gpg: checking at depth 0 signed=0 ot (- / q/n/m/f/u) = 0 *

Gpg: next trustdb check due at 2005-09-10

Run the above command to encrypt the report.txt file with your own public key and generate the encrypted file report.txt.gpg. If you use editing software to open the encrypted file, you will find that it contains some incomprehensible characters and garbled code.

4. Decrypt encrypted files with private key

# gpg-- decrypt report.txt.gpg > report.txt

You need a passphrase to unlock the secret key for

User: "test1 (unclassfication)"

2048-bit ELG-E key, ID 33735683, created 2004-09-29

(main key ID 79EB3D97)

Gpg: encrypted with 2048-bit ELG-E key, ID 33735683

Created 2004-09-29

"test1 (unclassfication)"

The above command requires the protection password corresponding to the private key to be successfully decrypted, and the contents of the decrypted file are output to the report.txt file.

5. Use the public key to sign and encrypt files at the same time

# gpg-se-r test@yahoo.com.cn report.txt

You need a passphrase to unlock the secret key for

User: "test (test)"

1024-bit DSA key, ID ADD93830, created 2004-07-01

The above command requires you to enter the protection password corresponding to the private key. After entering the correct password, the signature and encryption are completed successfully.

These are common commands for applying GPG signatures and encrypting files. For more detailed usage, please refer to the GPG help file.

Encrypt and digitally sign e-mail

In fact, the most common application of GPG is in the encryption and digital signature of e-mail. Many email client software support PGP/GPG encryption and digital signature. Taking Kmail as an example, this paper introduces how to set up Kmail and use Kmail to send encrypted and digitally signed e-mail.

Kmail

Is an email client in a KDE environment, similar to Outlook in Windows

Express . Select "Settings → Configure-Kmail → Identites" in the menu, select an identity, and click "Modify" to edit it.

Series. Select the "Advanced" tab, and you can see an interface similar to figure 2.

Figure 2. Setting interface of Kmail

Where the "OpenPGP Key" entry is the PGP or GPG key corresponding to the identity, and you can click the "Change" button to select the corresponding key pair from the GPG environment.

After saving, the setting of GPG is complete. Try writing an email, as shown in figure 3. The "pen tip" icon in the toolbar indicates that the message is digitally signed, the lock icon next to it indicates encryption, and if both icons are concave, both encryption and digital signature are used.

Figure 3 E-mail using digital signature

When sending an email, Kmail asks for a protection password for the corresponding key, as shown in figure 4.

Figure 4 requires a key protection password

After entering the protection password correctly, a confirmation window pops up, as shown in figure 5.

Figure 5 confirmation window

After confirming that the content is correct, click the "OK" button, and an e-mail with a digital signature will be sent successfully. Sending encrypted messages and sending messages that are both encrypted and digitally signed are similar.

Software package signature verification

For Linux publishers such as Red Hat, they often use GPG to sign released packages. Users can verify the signature of the package to ensure that the resulting package is not damaged or has been tampered with by others.

Verifying the GPG signature of a download package can be done by following these steps:

1. Get the public key of the software publisher from the Internet download or other means, and import it into your own GPG environment.

2. Confirm the public key by comparing the "electronic fingerprint" and sign the public key.

3. Use the following command to verify the GPG signature of the package:

# gpg-verify singaturefile.tar.gz taballpackage.gz

If the software is in RPM format, you can also verify it using the following command:

# rpm-Kv your.rpm

Key management

The application of GPG in encryption and signature is introduced before. in the process of application, users should pay attention to

Pending key management problem. GPG's keys use a trust mechanism, and there is no central PKI that can help publish and verify GPG users' public keys. In order to prevent public key cheating and ensure the non-repudiation of public key

(Non-repudiation), there needs to be a mechanism for management. Here are some useful suggestions for reference.

◆ backs up the private key

Once the private key is lost or corrupted, a previously encrypted file cannot be opened. Moreover, even if you know that the private key has been abused by others, you cannot expire your own public key. With the backup of the private key, such risks can be effectively avoided.

◆ establishes a public key mechanism with expiration protection

In case the private key is lost and the public key cannot be recovered manually, the public key can also expire automatically after a predetermined time.

◆ adds strong password protection to the private key

In this way, there is password protection even if the private key file is leaked. Protection passwords must be complex enough to effectively combat brute force cracking.

◆ multiple mechanisms

There is multiple control to recover the key in case of emergency.

◆ uses version control software

Use version control software to collect and maintain your own public key store. Version control software can effectively record historical changes and ensure that the public key library is orderly.

Thank you for reading! This is the end of the article on "how to use GPG encryption to ensure your information security". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, you can share it out for more people to see!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.